The Web Must Get Better At Patching Vulnerable Servers

In October 2016, researchers from Talos discovered and disclosed several critical vulnerabilities in Memcached. Patches were made available, but as of earlier this year, approximately 80% of Memcached instances remain vulnerable. Unpatched Memcached instances present a severe security risk to colocation data center clients.

We’re all familiar with the collaborative mechanism by which software vulnerabilities are fixed. Vulnerabilities are discovered by security researchers or developers, hopefully before they’re discovered by criminals. They’re disclosed to the relevant vendor or project. The vulnerability is fixed and a patch is released. Server administrators install the patch and their servers are no longer vulnerable.

Except all too often that’s not what happens. Vulnerabilities are discovered and patches are released, but a massive proportion of the vulnerable software is never patched. As Talos researchers Aleksandar Nikolich and David Maynor point out, this tardiness where patching is concerned is also in large part responsible for the success of recent global ransomware attacks.

We’re not talking about a non-technical user who neglects to update Windows on their laptop or their WordPress blog. Memcached is a tool used by professionals who know how risky it is to use out-of-date software on servers that handle sensitive customer or business data.

Memcached is an enormously popular piece of software used to increase the performance of web applications. It’s installed on hundreds of thousands of servers. Last year, a cluster of buffer overflow vulnerabilities were discovered in the code that controls Memcached’s processes for adding and updating stored objects. The vulnerabilities could reliably be exploited to exfiltrate data and exploit servers.

After the researchers at Talos disclosed the vulnerability, patches were released and patched versions of Memcached were pushed out to major Linux distribution repositories.

Several months later, the researchers scanned more than 100,000 Memcached instances that were accessible from the internet and discovered that 85,121 were still vulnerable. Only 21% of the scanned servers were not vulnerable.

Even worse, Talos sent emails to over 30,000 organizations notifying them that their servers were vulnerable. Scanning six months later showed that the number of vulnerable servers had only improved by around 10%.

The important message here is that if you’re running an unpatched version of Memcached on your servers, it would be wise to update as soon as possible. These vulnerabilities have been in the wild for a long time and it’s likely they’re being actively exploited.

If your servers are running vulnerable versions of Memcached, take the time to review your security procedures and patch management policies. There’s no good reason Memcached instances accessible from the open internet should remain unpatched more than a year after the fix was released. In fact, there’s no good reason for Memcached instances to be accessible from the open internet at all, but that a story for another day.